- If an individual employed by an information sharing entity acts in good faith and with reasonable care when sharing information under the scheme, they will not be held liable.
- The Child Information Sharing Scheme includes offences for unauthorised and intentional or reckless use or disclosure of confidential information and for impersonating an information sharing entity.
- Information sharing entities should have procedures in place for dealing with complaints made in relation to the scheme, including privacy complaints by individuals, and should make these available.
Protection for individual workers
A person who is authorised to share information under the scheme, who acts in good faith and with reasonable care when sharing information will:
- not be held liable for any criminal, civil or disciplinary action for providing the information (including the offences set out below)
- not be in breach of any code of professional ethics or considered to have departed from any accepted standards of professional conduct.
This protection from liability applies only to individuals, not organisations.
Generally, a person may be considered to have acted in good faith and reasonable care when they can demonstrate that they:
- shared information in accordance with their obligations, functions and authorisations
- intended for the information to be shared for the purpose of promoting the wellbeing and safety of a child and not for another purpose
- did not act maliciously, recklessly or negligently when exercising their power to share information.
Record keeping in compliance with the requirements in Chapter 5 provides a good foundation for demonstrating that a professional acted in good faith.
Offences and penalties may apply if information is shared in ways that are not permitted by the Child Information Sharing Scheme as follows:
- The offence of unauthorised use or disclosure of confidential information includes a fine of 60 penalty units for a person or 300 penalty units for a body corporate. If a person charged with this offence can demonstrate that they acted in good faith and with reasonable care when sharing information, then they will not be held liable.
- The offence of intentional or reckless unauthorised use or disclosure includes penalties of imprisonment of up to five years and/or a fine of 600 penalty units for an individual, or a fine of 3,000 penalty units for a body corporate.
- The offence of falsely claiming to be an information sharing entity or an authorised representative of an information sharing entity – or knowingly allowing someone else to believe that you are – includes a fine of 60 penalty units for a person or 300 penalty units for a body corporate.
These offences do not apply to a child or their parents or people living with a child who have been provided with information by an information sharing entity for the purposes of managing a risk to the safety of the child under the scheme. Other offences that will apply include any applicable Commonwealth offences and those in relation to secrecy and confidentiality provisions that continue to apply (see Chapter 4).
Complaints about information sharing
An information sharing entity may submit a complaint to another information sharing entity about how they have undertaken any activities under the Child Information Sharing Scheme, including if a request for information has not been fulfilled.
Individuals should make complaints about breaches of a person’s privacy directly to the relevant information sharing entity in the first instance. Information sharing entities should have procedures in place for dealing with complaints made in relation to the scheme, and should make these available. Information sharing entities must also keep records of any complaints (see Chapter 5).
Privacy complaints may also be made to external oversight bodies. Procedures for making these complaints differ depending on whether an organisation is bound by Victorian or Commonwealth privacy laws, as outlined below.
Complaints under Victorian privacy laws
Complaints in relation to the collection, use or disclosure of personal information by information sharing entities may be made to the Office of the Victorian Information Commissioner.
Complaints in relation to the collection, use or disclosure of health information by information sharing entities (whether they are public or private sector organisations) may be made to the Health Complaints Commissioner.
The Office of the Victorian Information Commissioner or Health Complaints Commissioner can attempt to resolve the complaint through conciliation processes.
In serious cases, the Health Complaints Commissioner is able to investigate the matter. The Health Complaints Commissioner can also issue compliance notices for serious or deliberate privacy breaches arising from disclosures made under the scheme.
Complaints under Commonwealth privacy law
If the Privacy Act (Cth) applies, a complaint may be made to the Office of the Australian Information Commissioner (OAIC).
If the OAIC chooses to investigate a complaint and it is considered likely that an interference with privacy has occurred, the OAIC may refer the matter to conciliation. If conciliation is not appropriate or does not resolve the complaint, then the OAIC may consider enforcement action.
For further information, please refer to the Office of the Australian Information Commissioner website www.oaic.gov.au.